InfoSecCon - CorreLog Peter Mills_final

Bridge the Gap: How to Use an Enterprise

Product You Already Own to Enhance z/OS

Security

Peter Mills Vice President Development & Support

CorreLog, Inc.

[email protected]

© 2015 CorreLog, Inc.

mailto:[email protected]


Agenda

• Preface: Two Worlds of IT security

• Real-time Alerts: Make your mainframe

more secure by taking advantage of the

security tools you probably already have

• Why, What, How

• Brief Introduction to SIEM Systems

Preface: Two Worlds of IT Security

Security in the Mainframe World


Security in the Network World

Security Operations Center

SIEM

Web Server

Routers

Firewalls

Linux Windows

Unix

The Two Meanings of “Syslog”

• z/OS SYSLOG: “a data set residing in the primary job entry subsystem's spool space … used by application and system programmers to record communications about problem programs and system functions.” – MVS Planning: Operations

• That is not what the rest of the IT

industry means by “Syslog”


“Syslog” – The Network Security

Meaning

• “The BSD syslog Protocol” – IETF RFC 3164 and follow-ons RFC 5424,

5425, 5426 and 6587

– Almost free-format text (ASCII) messages – <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8

• <34> is encoded “facility” (security) and severity (critical)

– Transmitted via UDP or TCP/IP with optional SSL/TLS encryption

– Generated by routers, firewalls, UNIX systems, etc.

• No native Syslog capability: Windows and z/OS


What’s a SIEM?

• Security Information and Event Management

• Collects Syslog messages

• Filtering

• Correlation: pattern recognition; establishing relationships among messages and events

• IP Geo-location

• Real-time Alerts

• Log management: cost-effective forensic (tamper-proof or tamper-evident) storage, indexing, analysis, search and reporting

• User and Application Monitoring

• Compliance reporting

• You probably spent or are spending at least six figures on a SIEM

Real-Time Alerts: Let your mainframe take

advantage of network security tools


Mainframe in the Network Security World


SIEM

Web Server

Routers

Firewalls

Linux Windows

Unix


Why Integrate z/OS into your SIEM?

• Compliance: PCI DSS, HIPAA, GLBA, SOX, IRS Pub. 1075

– You need to include the box with 70% of the data

– CISOs and Auditors are discovering the mainframe

• z/OS is not invulnerable

– You already paid for a SIEM – why not use it to help protect z/OS?

– Add z/OS to the correlation mix

Aren’t Mainframes Inherently Secure?

• “The mainframe is the most securable platform”

– Mark Wilson, RSM Partners, SHARE 2014

• “Insider threats are the leading

cause of data breaches in the

last 12 months” – Understand

The State Of Data Security And

Privacy: 2013 To 2014, Forrester

Research

Source: Wikimedia

Edward Snowden

• Is your mainframe more secure

than the NSA’s?

Yes, z/OS Can be Breached!

• Per Gottfrid Svartholm Warg, alias anakata, co-founder of The Pirate Bay, a digital content piracy sharing site

• Convicted of violating Swedish copyright law in 2009 – flees to Cambodia

• Pursues vendetta against MPAA lawyer Monique Wadsted

• In 2010, hacks into her account on Infotorg, a browser-accessed database hosted on z/OS at Logica, a Swedish service bureau

• Hacks continue in 2011 and 2012

• Leverages CGI shell command injection into full scale hack against Logica during first quarter of 2012

The Breach Becomes a Crisis

• Data including government agency files, credit cards, and 10,000 social security numbers

• Downloaded RACF databases, used password cracking tool* to decrypt thousands of passwords

• Installed backdoor to allow easy ongoing access

• Attempted to transfer 5.7 million Swedish kronor (~US$600,000) from Nordea Bank to accomplices

• Logica unable to contain breach and invokes Swedish “national event”

• Svartholm and an accomplice extradited from Cambodia and convicted June 2013

*John The Ripper – you can Google it –

includes explicit support for RACF

password decryption

Source: Wikimedia

“Hackers against Society”

• Breach of CSC Denmark mainframe, April to August, 2012

• Downloaded and also may have modified information in the driver’s license registry and the Schengen database of wanted persons

• Same mainframe also served Danish Tax Authority, the citizen ID number registry and other public agencies

• October 31, 2014 Svartholm convicted and sentenced to three-and-one-half years in prison in Denmark. He is appealing


Your Mainframe is not a Silo

• You may have separate mainframe and

network security teams, but hackers do

not

• Breaches are systemic, not platform-

specific

• Warg and his accomplices moved freely

among PC, Web, z/OS, UNIX – and

Hercules

• Protect your mainframe by correlating the

indicators


Correlation is Power

• More failed TSO logons than normal may

not be significant …

• But what if correlated with more intrusion

detection system hits than normal, more

firewall hits than normal, more Web logon

failures than normal?

• That is what SIEM systems do – think how

powerful to add your mainframe into the

mix


“Call the Doctor, not the Undertaker”

• Traditional mainframe approach is nightly reports

• But you want to find out about a breach now, not tomorrow morning

• The Network Security World has real-time tools – why not utilize them? – When was the last time a batch report sent you a text?

• Leverage the SIEM software you probably already own for real-time alerts

• Separation of duties: move the mainframe log files off the mainframe

• PCI DSS, IRS Pub. 1075, SOX all require secure, archived log of accesses – why use gigabytes of mainframe DASD?


z/OS Events Available Real-time

• Everything RACF, ACF2 and Top Secret – Failures only, or audit successes too

• File integrity: who modified critical or sensitive files? – PDS, QSAM, VSAM and UNIX files written

– Renames and Scratches

• Start and end of TSO sessions – Optionally started tasks, batch jobs, ABENDs, etc.

• TCP/IP, TN3270 and FTP sessions and failures

• New! IND$FILE events

• Everything needed from DB2 for PCI DSS

• Audited CICS Transactions

• Partner events: NewEra, Vanguard, …

• Console messages, IMS, …

• All real-time – no periodic FTP


What IP Address Edited

SYS1.PARMLIB?

<69>Mar 26 05:18:00 mvssysb TCP/IP: Subtype:

Telnet SNA init - TermNm: TCPB2931 - RemtIP:

58.14.0.140

<29>Mar 26 05:18:22 mvssysb SMF: Start - Work: TSO - JobID: TSU00863 - Group: RESTRICT - UserID: SYS013B - TermNm: TCPB2931

<118>Mar 26 05:22:09 mvssysb DFSMS: Action:

Add/Replace - JobNm: RU018A - Step: $TSUSER -

Proc: $TSUSER - DSN: SYS1.PARMLIB - Vol: LS0501

- Flag: Replace - Mem: IEAAPF00 - UserID:

SYS013B - POE: TCPB2931 - Group: RESTRICT


RACF Events

<35>Nov 27 19:44:00 SYSB RACF: RESOURCE

ACCESS: Insufficient Auth - UserID: RU018B -

Group: RESTRICT - Reas: AUDIT option - Job:

RU018BTR - Res: SYS1.PROD.PROCLIBT - Req: READ

- Allow: NONE - Vol: SYS001 - Type: DATASET -

Prof: SYS1.PROD.PROCLIBT - Owner: DATASET -

Name: ROBERT SMITH - POE: INTRDR

<35>May 14 11:11:46 SYSB RACF: INIT/LOGON:

Invalid Password - UserID: QAMLB2 - Group:

TSOHOLD - Auth: 00 - Reas: VERIFY failure -

Term: TCPA2959 - Name: MARIE BERGERON - POE:

TCPA2959


ACF2 Security Events

• Logon ID Modification, Dataset & Program Security Journal, Invalid Password Authority, Resource Access Violation, Restricted Logon ID and similar mainframe security events

• Example: mvssysb ACF2: EventDesc: Logonid modification - ChgDesc: Delete - JobNm: DECRO01 - UserID: DECRO01 - Pgm: ACF02ALT - Name: ROSS DECENT - Rel#: 140 - RdrTime: 2012-07-03T16:19:43.880 - ASID: XE34 - DelTime: 2012-07-03T17:19:51.028 - UID: OMVSDGRPAAABDECRO01

Type of Event User ID

User Name


File Integrity Monitoring

• Be alerted to modifications of critical

system files

SYSB RACF: RESOURCE ACCESS: Successful

Access - UserID: RU018B - Group: RESTRICT -

Auth: Normal check - Reas: AUDIT option -

Term: TCPA2953 - Job: RU018B - Res:

RU018B.AUDITALL.TEST1 - Req: UPDATE - Allow:

ALTER - Vol: LS0158 - Type: DATASET - Prof:

RU018B.AUDITALL.* - Name: ROBERT SMITH

User

Name

Type of Access

Terminal

File Name


TCP/IP and FTP Events

<69>Mar 26 17:32:46 mvssysb TCP/IP: Subtype: FTP

server complete - Stack: TCPIP - Op: Retrieve -

FileType: SEQ - RemtDataIP: ::ffff:10.31.0.209 -

UserID: RX239JB - DStype: HFS - Start: 11037

22:32:45.21 - Dur: 0.78 - Bytes: 56324 - SessID:

FTPD100335 - DSN: /u/rx239jb/Source/Fields.C -

Security: {Mech: None - CtlProt: None - DataProt:

None - Login: Password}

<69>Mar 25 18:53:21 mvssysb TCP/IP: Subtype: FTP

server logon fail - Stack: TCPIP - AS: FTPD1 -

UserID: DV174A - RemtIP: ::ffff:10.10.8.66 -

LogonUserID: DV174A - Reas: Password invalid -

SessID: FTPD100026 - Security: {Mech: None -

CtlProt: None - DataProt: Undefined - Login:

Password}

IND$File Events


New! IND$defender

• IND$FILE is a useful tool but completely

unaudited • May 28 16:18:10 MVSSYSB CorreLog: SubT:

IND$FILE Audit - SubCmd: GET - DSN:

SYSP.DB2.DBRMLIB.DATA - Mem: DSN8BC3 -

Type: Partitioned - RdrTime: 2015-05-

28T20:16:41.164 - UserID: DEV013 - Name:

CHARLES MILLS - Group: RESTRICT - RemtIP:

129.42.38.1 - JobID: TSU00637 - TermNm:

NVA00076 - Dur: P00:00:02.660


UNIX File System Events

Jun 20 14:33:35 mvssysb zFS: APID: 67305918 - Cat: zFS - OGroup: 675 - JobNm: MDRZ620A - PGroup: 84083495 - PID: 84083495 - Group: ZDEV - Start: 2014-06-20T11:56:49.390 - Uid: DV001 - SessID: 84083495 - StepNm: MDRZSYS - SubT: File close - OUid: 500021 - In: 4255 - DirBlks: 10 - DevNo: 0069 - Inode: 133 - BlksRead: 2 - FName: /source/views/$shared$.views.xml - Reads: 3 - Close: 2014-06-20T14:33:34.879 - Token: 6943232 - Open: 2014-06-20T14:33:34.856 - Type: Regular

Full path name

OMVS UID

z/OS Job Name


Operational Events

<29>Mar 04 04:42:01 mvssysb SMF:

End - Work: STC - Sysname: SYSB

- JobNm: MITDB41T - JobID:

STC07802 - Step#: 1 - Group:

DFLTSTC - UID: LSCSTC - RC:

U0011-0


DB2 Events

<110>Mar 24 15:29:00 mvssysb DB2: Subsys: DA1L -

IFCID: Audit administrative authorities - UserID:

RU018B - AuthID: RU018B - CorrID: RU018BD3 - Auth:

SYSADM - Priv: SELECT - ObjType: Table or view -

Cmd: SELECT * FROM SYSIBM.SYSTABLES - SrcQual:

SYSIBM - Src: SYSTABLES

<110>Mar 24 15:44:20 mvssysb DB2: Subsys: DA1L -

IFCID: Authorization failures - UserID: RU018A -

AuthID: RU018A - CorrID: RU018ADS - Priv: SELECT -

ObjType: Table or view - SrcQual: CORE1010 - Src:

NEWPHONE - Node: JES2SYSB - Group: RESTRICT - POE:

INTRDR - Sql: SELECT * FROM CORE1010.NEWPHONE

Introduction to SIEMs


Types of SIEMs

• Conventional Software/Appliance/Virtual Appliance – Running on Linux, UNIX or Windows

– HP ArcSight ESM

– IBM Security QRadar

– LogRhythm

– AlienVault (Open Source)

– McAfee (Intel Security) ESM

– RSA (EMC) Security Analytics (enVision)

– CorreLog SIEM Correlation Server

– Splunk – do not call themselves a SIEM but customers use as a SIEM, and Gartner positions as a SIEM

SIEM in the Cloud: MSSP

• Managed Security

Service Provider

– Some are hybrids with

on-site “concentrator”

appliance

– Dell SecureWorks

– IBM Managed Security

Services

– Verizon

– NTT Solutionary

Correlation

Real-Time Text Alerts

Compliance Scorecards

z/OS to SIEM Integration

• ArcSight and QRadar include free or low-cost connectors – Frequent FTP

– Limited functionality

• Splunk-specific agent from Syncsort

• CorreLog SIEM Agent for z/OS – SIEM Agnostic

– 100% Real-time

CorreLog SIEM

Agent for z/OS

Any SIEM

or MSSP

No intermediate

“formatting box”

UDP, TCP/IP or

ICSF-encrypted

TCP/IP


SIEM Agnostic

• HP ArcSight CEF Certified

• IBM Security QRadar “Ready for Security Intelligence”

• Intel Security (McAfee Nitro) Partner

• NTT Solutionary Partner

• RSA Security Analytics Certified

• Dell SecureWorks

• LogRhythm

• Splunk


z/OS Events in HP ArcSight ESM

z/OS Events in Splunk


z/OS Events in Splunk App

CorreLog Visualizer for z/OS


SIEM

z/OS Departmental SIEM

z/OS Group


Mainframe Events in z/OS

Visualizer

Point-and-Click Drill-Down to Detail


CorreLog z/OS Agent + Visualizer

• Compatible with – will “front end” – any

enterprise SIEM

• Point-and-click window into z/OS events

– Security, TSO, started tasks, ABENDs, FTP,

DB2

• Real-time: up-to-the-second, timely data

• “Log analysis”

• “Big SIEM” features like correlation, point-

and-click, reports, text alerts, etc.

In conclusion …

• We have covered

– The two worlds of IT security

– Why and How to get real-time

event alerts by making your

mainframe part of your overall

enterprise security posture

– A brief introduction to SIEMs

• Thank you!


Questions?


For more information …

• www.CorreLog.com

• [email protected]

• [email protected]

Local rep: Brian Cain

(877) CorreLog x.413 | C: (239) 839-8627

(239) 514-3331 x.413 | F: (239) 687-3505

http://www.correlog.com/




Legal

• Trademarks – CorreLog® is a registered trademark, and dbDefender is a trademark, of CorreLog, Inc.

– The following terms are trademarks of the IBM Corporation in the United States or other countries or both: DB2®, IBM®, MVS, Q1®, QRadar®, RACF, System z, Tivoli®, z/OS®, zSecure®, zSeries®

– ACF2® and Top Secret® are registered trademarks of CA Inc.

– ArcSight is a trademark of Hewlett-Packard Development Company, L.P.

– Gartner® is a registered trademark of Gartner, Inc.

– LogRhythm is a trademark of LogRhythm, Inc.

– McAfee® is a registered trademark of McAfee, Inc.

– PCI Security Standards Council is a trademark of The PCI Security Standards Council LLC.

– Splunk® is a registered trademark of Splunk, Inc.

– UNIX® is a registered trademark of The Open Group.

– Vanguard Integrity Professionals is a trademark of Vanguard Integrity Professionals

– Windows® is a registered trademark of Microsoft Corporation.

– Other company, product, or service names may be trademarks or service marks of others. No association with CorreLog, Inc. is implied.

• We acknowledge the PCI DSS Requirements and Security Assessment Procedures, Version 2.0, Copyright 2010 PCI Security Standards Council LLC.

InfoSecCon - CorreLog Peter Mills_final

Documents

Transcript of InfoSecCon - CorreLog Peter Mills_final